From: Peter Todd <pete@petertodd•org>
To: Antoine Riard <antoine.riard@gmail•com>
Cc: Bitcoin Protocol Discussion
<bitcoin-dev@lists•linuxfoundation.org>,
security@ariard•me,
"lightning-dev\\\\@lists.linuxfoundation.org"
<lightning-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely
Date: Tue, 14 Nov 2023 19:50:04 +0000 [thread overview]
Message-ID: <ZVPPbNdmPxahOGqA@petertodd.org> (raw)
In-Reply-To: <CALZpt+FEwjwQQWY6TBFuWeZbqC6Ywa7eSTcpqYuQPZ6+6QBzaw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 5959 bytes --]
On Mon, Nov 13, 2023 at 02:18:16AM +0000, Antoine Riard wrote:
> Your two latest mails.
>
> > The problem that OP_Expire aims to solve is the fact that Carol could
> prevent
> > Bob from learning about the preimage in time, while still getting a
> chance to
> > use the preimage herself. OP_Expire thoroughly solves that problem by
> ensuring
> > that the preimage is either broadcast in the blockchain in a timely
> fashion, or
> > becomes useless.
>
> I respectfully disagree - There is a more general underlying issue for
> outdated states in multi-party off-chain constructions, where any "revoked"
> or "updated" consensus-valid state can be used to jam the latest off-chain
> agreed-on, through techniques like replacement cycling or pinning.
No, that's not a general underlying issue. You've found two separate issues.
Furthermore, revoked states are clearly different than HTLCs: they're
fraudulent, and thus in punishment-using protocols they are always associated
with high risks of loss if they do in fact get detected or mined. There's
probably tweaks we can do to improve this security. But the general principle
there is certainly true.
> > My suggestion of pre-signing RBF replacements, without anchor outputs,
> and with
> > all outputs rendered unspendable with 1 CSV, is clearly superior: there
> are
> > zero degrees of freedom to the attacker, other than the possibility of
> > increasing the fee paid or broadcasting a revoked commitment. The latter
> of
> > course risks the other party punishing the fraud.
>
> Assuming the max RBF replacement is pre-signed at 200 sats / vb, with
> commitment transaction of ~268 vbytes and at least one second-stage HTLC
> transaction of ~175 vbytes including witness size, a channel counterparty
> must keep at worst a fee-bumping reserve of 35 268 sats, whatever payment
> value.
For a lightning channel to be economical at all in a general routing
environment, the highest likely fee has to be small enough for it to represent
a small percentage of the total value tied up in the Lightning channel. Tying
up a small percentage of the overall capacity for future fee usage is not a
significant expense.
> As of today, any payment under $13 has to become trimmed HTLCs.
> Trimmed HTLCs are coming with their own wormhole of issues, notably making
> them a target to be stolen by low-hashrate capabilities attackers [0].
>
> [0]
> https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-May/002714.html
That attack doesn't make sense. HTLCs go to fees at a certain feerate. In a
normal environment where there is a constant supply of fee paying transactions,
the profit for the miner is not the total HTLC value, but the increase in
feerate compared to the transactions they had to give up to mine the commitment
transaction.
Second, it's obvious that the total trimmed HTLCs should be limited to what
would be a reasonable transaction fee. A situation where you have 80% of the
channel value going to fees due to a bunch of small HTLCs is obviously
ridiculous, and to the extent that existing implementations have this issue,
should be fixed.
For RBF fee bumping, obviously you can take the increased channel fees from the
party choosing to broadcast the commitment transaction.
> > This does have the practical problem that a set of refund transactions
> will
> > also need to be signed for each fee variant. But, eg, signing 10x of each
> isn't
> > so burdensome. And in the future that problem could be avoided with
> > SIGHASH_NOINPUT, or replacing the pre-signed refund transaction mechanism
> with
> > a covenant.
>
> I think if you wish to be safe against fees griefing games between
> counterparties, both counterparties have to maintain their own fee-bumping
> reserves, which make channel usage less capital efficient, rather than
> being drawn from a common reserve.
Yes, obviously. But as I said above, it just doesn't make sense for channels to
be in a situation where closing them costs a significant % of the channel value
in fees, so we're not changing the status quo much.
> > Using RBF rather than CPFP with package relay also has the advantage of
> being
> > more efficient, as no blockspace needs to be consumed by the anchor
> outputs or
> > transactions spending them. Of course, there are special circumstances
> where
> > BIP125 rules can cause CPFP to be cheaper. But we can easily fix that, eg
> by
> > reducing the replacement relay fee, or by delta-encoding transaction
> updates.
>
> It is left as an exercise to the reader how to break the RBF approach for
> LN channels as proposed.
Do you have a concrete attack?
> > As SIGHASH_NOINPUT is desirable for LN-Symmetry, a softfork containing
> both it
> > and OP_Expire could make sense.
>
> I think there is one obvious issue of pre-signing RBF replacements combined
> with LN-symmetry, namely every state has to pre-commit to fee values
> attached and such states might spend each other in chain. So now you would
> need `max-rbf-replacement` * `max-theoretical-number-of-states` of
> fee-bumping reserves unless you can pipe fee value with some covenant
> magic, I think.
No, you are missing the point. RBF replacements can use SIGHASH_NOINPUT to sign
HTLC refund transactions, removing the need for a set of different HTLC refund
transactions for each different feerate of the commitment transaction.
I'm making no comment on how to do RBF replacements with LN-Symmetry, which I
consider to be a broken idea in non-trusted situations anyway. Removing justice
from Lightning is always going to be hopelessly insecure when you can't at
least somewhat trust your counterparty. If your usage of LN-Symmetry is
sufficiently secure, you probably don't have to worry about them playing fee
games with you either.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2023-11-14 19:50 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 16:57 [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Antoine Riard
2023-10-16 19:13 ` Peter Todd
2023-10-16 22:10 ` Matt Morehouse
2023-10-17 1:11 ` Antoine Riard
2023-10-20 10:47 ` Peter Todd
2023-10-20 11:18 ` Jochen Hoenicke
2023-10-16 22:51 ` Olaoluwa Osuntokun
2023-10-17 7:21 ` [bitcoin-dev] [Lightning-dev] " ziggie1984
2023-10-17 10:34 ` ZmnSCPxj
2023-10-17 18:34 ` Antoine Riard
2023-10-20 10:31 ` Peter Todd
2023-10-20 11:03 ` Peter Todd
2023-10-20 18:35 ` Matt Morehouse
2023-10-20 21:05 ` Matt Corallo
2023-10-21 0:15 ` Peter Todd
2023-10-21 1:03 ` Matt Corallo
2023-10-21 1:25 ` Peter Todd
2023-10-21 1:55 ` Matt Corallo
2023-10-21 2:43 ` Peter Todd
2023-10-23 16:09 ` Matt Corallo
2023-10-17 17:47 ` Antoine Riard
2023-10-17 18:47 ` Antoine Riard
2023-10-18 0:17 ` Matt Corallo
2023-10-18 2:57 ` Antoine Riard
2023-10-19 8:12 ` Bastien TEINTURIER
2023-10-19 16:23 ` Matt Morehouse
2023-10-19 17:22 ` Antoine Riard
2023-10-19 17:53 ` Matt Morehouse
2023-10-19 19:33 ` Antoine Riard
2023-10-21 0:18 ` Olaoluwa Osuntokun
2023-11-17 22:36 ` Antoine Riard
2023-10-19 18:02 ` Matt Corallo
2023-10-20 6:56 ` [bitcoin-dev] " Antoine Riard
2023-10-21 20:05 ` Antoine Riard
2023-10-27 0:43 ` Peter Todd
2023-11-02 4:46 ` Antoine Riard
2023-10-21 0:09 ` [bitcoin-dev] OP_Expire and Coinbase-Like Behavior: Making HTLCs Safer by Letting Transactions Expire Safely Peter Todd
2023-10-21 8:58 ` David A. Harding
2023-10-21 10:31 ` Peter Todd
2023-10-22 8:30 ` vjudeu
2023-10-23 11:10 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-10-23 15:45 ` Peter Todd
2023-11-02 5:24 ` [bitcoin-dev] " Antoine Riard
2023-11-02 6:26 ` Peter Todd
2023-11-02 17:07 ` Matt Morehouse
2023-11-03 5:27 ` Antoine Riard
2023-11-03 5:25 ` Antoine Riard
2023-11-04 7:26 ` Peter Todd
2023-11-06 18:45 ` Antoine Riard
2023-11-07 11:11 ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2023-11-07 15:44 ` Antoine Riard
2023-11-08 0:51 ` [bitcoin-dev] " Peter Todd
2023-11-08 2:06 ` Peter Todd
2023-11-13 2:18 ` Antoine Riard
2023-11-14 19:50 ` Peter Todd [this message]
[not found] ` <CALZpt+H38cU9L8kq0mSYCDirzL39fxhdoz4pAPiS8dGJP8akKg@mail.gmail.com>
2023-11-15 17:53 ` [bitcoin-dev] Fwd: " Antoine Riard
2023-10-22 4:49 ` [bitcoin-dev] Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us" Nadav Ivgi
2023-10-23 8:49 ` David A. Harding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZVPPbNdmPxahOGqA@petertodd.org \
--to=pete@petertodd$(echo .)org \
--cc=antoine.riard@gmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=lightning-dev@lists$(echo .)linuxfoundation.org \
--cc=security@ariard$(echo .)me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox